Manual deactivation of drive encryption

Our systems group rebuilds computers over the network using SCCM. They need a way to remove MDE first, as they don't have access to ePO. I thought the manual removal process was just what I needed until I read that you have to deactivate the system using ePO before you can manually remove MDE. The whole point of a manual removal process is so that you don't have to use ePO to remove the product. What is the point in having a manual removal process when there is not a manual decryption/deactivation process to go with it? I still need to go into ePO to decrypt and deactivate so I may as well remove it at the same time.

If you are going to have a manual removal process, you should be able to do the whole removal, not just the second half. Sure you can use DETECH to decrypt it, but once again you can also use it to remove the product. Plus you have to be physically present at the system in order to run DETECH. Without a way to manually deactivate/decrypt a system, the whole manual removal process is useless. Either I have to go in and decrypt every system before it is rebuilt, or I have to give 40 or 50 people access to ePO and the ability to change tags and policies on systems, just so they can remove MDE for a rebuild.

Re: Manual deactivation of drive encryption

For re-imaging a machine (or upgrading the OS) you may want to look at the temporary autoboot feature. It does require it to be allowed in a policy which needs to communicate with ePO prior to using it. That may be an issue in your case.
